Anton Chuvakin, formerly a log ninja and currently a VP at Gartner, has been whipping up some emphatic commentary on the SIEMs. You know, those ugly, inflexible monoliths which have dominated the decision layer of security since a decade, just refusing to go away.

He has driven home a couple of points on the absolute operational fragmentation of the security architecture. Like, there are more security boxes within an enterprise than there are people to manage them [1]. Or the fact that there could actually be a thing called “SaaS SIEM” – though I vehemently disagree with that term (more on that later) [2].

Sitting and building platforms in India gives you a very different perspective. You exist in a market where the deployment rates of technologies like the SIEM could be less than 1%. You realise, having investigated dozens of APTs, that the relative immaturity of the security architecture has no direct bearing on the perceived threat landscape, or even the economics of cybersecurity. A stupid, little irritant like WannaCry would pretty much have the same impact here as any other part of the world – and I am not talking about the mere numbers.

Probably because the American cybersecurity vendor landscape is pacing ahead by a few generations, Chuvakin may have missed emphasizing upon something else. The secondary catalyst of this domain, after offensive and defensive technological disruption, is economics. The moment you mull over it, the rabbit hole begins to reveal itself.

Richard Stiennon, another of Gartner’s alumnus, rightly puts it – this is the only field of IT whose biggest driver is external: the threat actor [3]. Now, imagine, how complex the econo-metrics to describe this larger ecosystem would be.

Let’s factor in some parts of the equation. I believe that the ‘Western’ security products are generally priced exorbitantly. Those price tags just don’t make sense especially in a market like India. In fact, I see a bubble there.

I had the realisation that this is because of our over-reliance on product engineering. The vendors bet on high CApital EXpenditure associated with the acquisition of the security architecture hoping to make huge profits, while the customers struggle with ballooning, mostly hidden OPerating EXpenditures. So grim is the situation that curbing the OpEx has become an existential challenge for the enterprises, a do-or-die situation much like cybersecurity itself.

The developmental paradigm of most American security companies assumes that the customer needs product engineering. In a pure-play services market like India, it’s easy to call the bluff on them. What the customers really anticipate is solutions engineering – an ability to transparently, seamlessly merge and control both CapEx and OpEx – and those vendors really don’t have the ability to horizontally scale up for that.

Moreover, this is happening at a time when skeletal Big Data stacks have become mature enough to serve most of the platform requirements like decision analytics, orchestration, event and intelligence correlation, risk quantification, and threat hunting, etc.

In fact, we at Bhujang realised this two years ago. “We do solutions engineering, not products” became our mission statement.

So, let me return to the objection of using the term “SaaS SIEM”. I think it is force-fitting the round peg of solutions into the square hole of products. Although I am fully in agreement with Chuvakin’s premise of shared or managed analytics being more actionable and cost-effective.

I will digress a bit now to another lingering problem. I see that many vendors are also misselling enterprise grade products to the homeland security market. That messes up with a nation’s economic resilience against cyber threats.

The reason I am pointing it out in this article is because the vendors haven’t made an honest effort to demarcate these two different territories. I have written a lot about the extreme lack of inter-compatibility within the enterprise-centric security architecture [4]. Somewhere down the line, we need to start acknowledging the ‘emergent’ nature of cybersecurity, to better understand why enterprises will keep on getting hacked. I think, beyond a certain point, what we would really need are universal, inter-operable and machine-to-machine layers of abstraction – and the enterprise vendors need to stay the hell away from them!


1.      Security Without Security People: A [Sad] Way Forward?

2.      Action Item: SaaS SIEM Users Sought!

3.      The Entire IT Security Landscape

4.      For Enterprises Giving Up on Cybersecurity Vendors: Abstraction Is the Future

Written by Pukhraj Singh